RHSA-2023:4061: Red Hat Security Advisory: .NET 6.0 security, bug fix, and enhancement update

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-33170: A vulnerability was found in dotNET applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords and bypass security restrictions. This flaw allows a remote attacker to bypass security features, causing an impact on confidentiality, integrity, and availability.
Issued: 2023-07-13

Updated: 2023-07-13

RHSA-2023:4061 - Security Advisory


Synopsis

Important: .NET 6.0 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important


Topic

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (SDK 6.0.120, Runtime 6.0.20). (BZ#2219635)

Security Fix(es):

  • dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync method (CVE-2023-33170)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
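To make the "race condition in PasswordSignInAsync" concrete, here is an added illustration that is not code from the advisory or from ASP.NET Core Identity: a toy in-memory lockout tracker whose failed-attempt counter is read and then written back as two separate steps, beside a version that performs the lockout check and the update inside one critical section. `MAX_FAILED`, the class names, the `interleave` hook and the `demo` harness are all assumptions of this example.

```python
"""Toy model of the lockout race described for CVE-2023-33170 (constructed; not ASP.NET Core code).
RacyLockout updates the failed-attempt counter as read-then-write; AtomicLockout makes it atomic."""
import threading

MAX_FAILED = 5  # assumed threshold; Identity's MaxFailedAccessAttempts also defaults to 5

class RacyLockout:
    def __init__(self, interleave=lambda: None):
        self.failed = 0
        self.locked = False
        self._interleave = interleave  # hook used below to force a specific interleaving

    def check_password(self, correct: bool) -> str:
        if self.locked:
            return "locked"            # rejected before the password is evaluated
        if correct:
            self.failed = 0
            return "ok"
        current = self.failed          # 1. read the counter
        self._interleave()             # 2. other requests may run in this gap
        self.failed = current + 1      # 3. write back, losing concurrent increments
        if self.failed >= MAX_FAILED:
            self.locked = True
        return "wrong"                 # password was evaluated and rejected

class AtomicLockout(RacyLockout):
    def __init__(self, interleave=lambda: None):
        super().__init__(interleave)
        self._lock = threading.Lock()

    def check_password(self, correct: bool) -> str:
        with self._lock:               # lockout check and counter update are one unit
            return super().check_password(correct)

def concurrent_wrong_passwords(tracker, n: int) -> int:
    """Fire n wrong-password attempts at once; return how many were actually evaluated."""
    results = []                       # list.append is atomic under the GIL
    threads = [threading.Thread(target=lambda: results.append(tracker.check_password(False)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("wrong")

def demo(n: int = 20) -> tuple:
    """(evaluated by RacyLockout, evaluated by AtomicLockout) for n concurrent requests."""
    barrier = threading.Barrier(n)     # forces every request to read before any writes
    return (concurrent_wrong_passwords(RacyLockout(interleave=barrier.wait), n),
            concurrent_wrong_passwords(AtomicLockout(), n))
```

With the barrier forcing the worst-case interleaving, the racy tracker evaluates all 20 attempts and never locks the account, while the atomic tracker stops after MAX_FAILED; a concurrency test of this shape is the regression check a team would keep after applying the fix.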

Affected Products

  • dotNET on RHEL (for RHEL Server) 1 x86_64
  • dotNET on RHEL (for RHEL Workstation) 1 x86_64
  • dotNET on RHEL (for RHEL Compute Node) 1 x86_64

Fixes

  • BZ - 2221854 - CVE-2023-33170 dotnet: race condition in Core SignInManager<TUser> PasswordSignInAsync method

dotNET on RHEL (for RHEL Server, RHEL Workstation and RHEL Compute Node) 1

The same package set is published for all three product channels.

SRPM

  • rh-dotnet60-dotnet-6.0.120-1.el7_9.src.rpm

x86_64

  • rh-dotnet60-aspnetcore-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-aspnetcore-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-6.0.120-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-apphost-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-debuginfo-6.0.120-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-host-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-hostfxr-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-runtime-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-sdk-6.0-6.0.120-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-sdk-6.0-source-built-artifacts-6.0.120-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-targeting-pack-6.0-6.0.20-1.el7_9.x86_64.rpm
  • rh-dotnet60-dotnet-templates-6.0-6.0.120-1.el7_9.x86_64.rpm
  • rh-dotnet60-netstandard-targeting-pack-2.1-6.0.120-1.el7_9.x86_64.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Red Hat Security Advisory 2023-4449-01

Red Hat Security Advisory 2023-4449-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.120 and .NET Runtime 6.0.20. Issues addressed include code execution, denial of service, and heap corruption vulnerabilities.

Red Hat Security Advisory 2023-4448-01

Red Hat Security Advisory 2023-4448-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.120 and .NET Runtime 6.0.20. Issues addressed include code execution, denial of service, and heap corruption vulnerabilities.

RHSA-2023:4448: Red Hat Security Advisory: .NET 6.0 security update

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-29331: A vulnerability was found in dotnet. This issue can lead to a denial of service while processing X509 Certificates.
  • CVE-2023-29337: A vulnerability was found in dotnet. This issue exists in NuGet where a potential race condition can lead to a symlink attack.
  • CVE-2023-33128: A vulnerability was found in dotnet. This...

RHSA-2023:4449: Red Hat Security Advisory: .NET 6.0 security update

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-29331: A vulnerability was found in dotnet. This issue can lead to a denial of service while processing X509 Certificates.
  • CVE-2023-29337: A vulnerability was found in dotnet. This issue exists in NuGet where a potential race condition can lead to a symlink attack.
  • CVE-2023-33128: A vulnerability was found in dotnet. This...

Red Hat Security Advisory 2023-4058-01

Red Hat Security Advisory 2023-4058-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

Ubuntu Security Notice USN-6217-1

Ubuntu Security Notice 6217-1 - McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did not properly update account lockout maximum failed attempts. An attacker could possibly use this issue to bypass the security feature and attempt to guess more passwords for an account.

GHSA-25c8-p796-jg6r: Microsoft Security Advisory CVE-2023-33170: .NET Security Feature Bypass Vulnerability

Microsoft Security Advisory CVE-2023-33170: .NET Security Feature Bypass Vulnerability

Executive summary: Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and above. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in ASP.NET Core applications where account lockout maximum failed attempts may not be immediately updated, allowing an attacker to try more passwords.

Discussion: Discussion for this issue can be found at https://github.com/dotnet/aspnetcore/issues/49334

Mitigation factors: Microsoft has not identified any mitigating factors for this vulnerability.

Affected software:

  • Any ASP.NET 7.0 application running on .NET 7.0.8 or earlier.
  • Any ASP.NET 6.0 application running on .NET 6.0.19 or earlier.
  • Any ASP.N...

CVE-2023-33170

ASP.NET and Visual Studio Security Feature Bypass Vulnerability

CVE-2023-33170: ASP.NET and Visual Studio Security Feature Bypass Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment.